Formal model of a trusted file server

J. C. Williams, G. Dinolt
DOI: 10.1109/SECPRI.1989.36290
Venue: Proceedings. 1989 IEEE Symposium on Security and Privacy
Published: 1989-05-01
Record source: Semantic Scholar (https://doi.org/10.1109/SECPRI.1989.36290)
Citations: 2

Abstract

The authors present a formal, mathematical model for a trusted file server (TFS) for a multilevel secure distributed computer system. The goal is to produce formal verification from the top-level specification down through code for the entire system of which a TFS is one component. By viewing the TFS as a black box, it is possible to specify its security as a relation that must hold invariantly between an output stream of responses and an input stream of requests. Using the proposed approach, the authors have provided a small (perhaps minimal) set of compromise security constraints on the TFS. They have produced an implementation of the TFS in Gypsy and verified that the implementation satisfies this model. It is also shown that the specified relation is stronger than noninterference, and that a noninterference model cannot cover the security-relevant functionality of deleting or changing the size of a file.